Description

In hierarchical computer systems, protection checking must occur whenever a process having lower privilege desires to call on a system wide service routine having higher privilege. Several levels of privilege are usually provided in such systems, including a highest privilege available only to the operating system, one or more intermediate privilege levels available to either the operating system or intermediate program supervisors, and a lowest privilege level available to unprivileged operations and to user programs. When a user program needs to call the computer operating system to do something which can only be accomplished by the operating system itself, such as access a section of the physical memory in a virtually addressed computer memory, some form of protection must be provided so that the user program can only use the highly privileged routine in an orderly way. Without some form of protection there would be no data security in the system: any program would have unlimited access to all of the system data, or a user program could actually destroy the operating system itself, both of which are unacceptable in most commercial systems. For example, if a payroll file is stored on the computer system and the system lacked privilege protection, someone could merely write a user program to give himself a raise.

Such protection checking is a frequent operation that usually involves significant system resources in validating the privileges and access rights of the calling routine, resulting in a substantial degradation in system performance. Previous systems have frequently used "supervisor call" instructions to limit the number of entry points available into the operating system. With such supervisor call instructions, a user program seeking higher privilege actually causes a hardware interrupt of the system processor, during which the system will branch to a single operating system location. The operating system must then figure out what it was that the user wanted to do, branch out through a large privilege dispatch table, perform the desired operation, return to the single operating system location, store all the desired system states, and return to the user program. Not only is such a supervisor call time consuming, but such a system requires the supervisor call to be a unique instruction which is different from other normal procedure calls.

US-A-4177510 describes a system for preventing unauthorised access from a lower privilege level to a higher privilege level in a hierarchical computer system. However, not only is the calling routine checked to see if it has sufficient access rights to make a procedure call, but a second check is also made to ensure that the location of the code to be executed is within an approved list. Therefore, two checks are required before the higher privilege is granted.

The present invention uses a "gateway" instruction, which is a branch instruction enabling privilege checking in a computer system with only one check on user access. In addition, the gateway instruction permits an unlimited number of entry points into the operating system. Higher privilege services can be called using the same subroutine calling convention as is used for calling other procedures within the computer system, so that the code that is compiled in the lower privileged routines in seeking a higher privilege level is the same as a "normal" procedure call. If the page of virtual memory on which the called entry point resides is one of a set of gateway types, then the gateway instruction will cause the routine's privilege to be raised to the level specified by the page itself, permitting the further desired execution requiring the higher privilege level, unless the routine's privilege is already greater than that of the page, in which case no change in privilege level is required.

The actual security check is performed by first checking the state of the privilege level of the currently running process against the bits in a seven bit access rights field associated with the virtual page address of the called routine during the virtual address translation performed by a Translation Lookaside Buffer (TLB). If the caller's privilege level is within bounds, the TLB permits the calling routine to execute instructions on the targeted virtual page. Execution of the gateway instruction will then proceed to branch to the location indicated by the gateway, with the needed privilege level supplied by other bits in the access rights field of the TLB entry. However, if a calling routine attempts to execute on a page which requires higher or lower privilege than the routine currently has, the TLB will inhibit execution of instructions, including gateway instructions, with a software trap, so that the calling routine never performs the unpermitted instruction. Since this protection scheme can be nearly the same as that used to prevent the performance of other instructions from an unpermitted page, the gateway protection can be structurally the same as other instructions in the system.

Thus, the gateway instruction acts like a normal branch instruction relative to the state of the program counter (i.e., a PC relative branch). In addition, the gateway instruction also saves the original privilege level of the calling routine in a general register specified by a field of the gateway branch. This register is, by convention, the register containing the return link to the calling routine, the low-order bits of which are the two-bit privilege level of the caller. Since execution of the gateway instruction forces these two bits to the caller's actual privilege level, it is impossible for the calling routine to forge a return link which could cause return to the caller with higher privilege.

Also, if the routine called by the calling routine requires the services of an even more privileged routine, the called routine may itself call through another gateway, as before.

Finally, in a computer system which permits delayed branches, such as in a conventional pipelined machine in which delayed instructions are not actually executed until a given number of machine cycles (the delay period) after the delayed instruction is begun, one caution must be exercised with the gateway instructions: the calling routine must not be permitted to execute a gateway instruction in the delay period of a taken branch, since this would result in execution of the gateway (and privilege promotion) followed by a change of control back to the calling routine at higher privilege. The effect of such an operation would be for the calling routine to effectively promote its own privilege level without control of the operating system, thus destroying the entire protection checking mechanism.

Brief Description of the Drawing 

Figure 1 shows an overall computer system block diagram for utilizing a protection system according to a preferred embodiment of the present invention.

Figure 2 shows a flow chart for protecting the system shown in Figure 1.

Figure 3 shows the structure of a Target Register for holding the original privilege level of a calling routine during the execution of a gateway instruction according to the present invention.

Figure 4 shows a block diagram of a memory page containing a gateway instruction according to a preferred embodiment of the present invention.

Figure 5 shows a table containing access rights for use according to a preferred embodiment of the present invention.

Figure 6 shows a processor status word for use with the system shown in Figure 1.

Description of the Preferred Embodiment 

Figure 1 shows a block diagram of a pipelined computer system 10 for using a gateway instruction according to the present invention, and Figure 2 shows a flow chart for using the gateway instruction for protecting the system 10. An Instruction Unit 20 contains a low privilege routine which requires a procedure call to a higher privileged service routine. The Instruction Unit 20 seeks this higher privileged routine by addressing the Translation Lookaside Buffer (TLB) 30 via the Virtual Address Bus 35 to determine the location in Physical Memory 40 containing an appropriate entry point of a gateway instruction. Typically, the various entry points of the gateway instructions are published within the system documentation for programming use. The TLB 30 calculates the address of the desired entry point within the Physical Memory 40, and a gateway instruction located at the calculated address is then transmitted via a Next Instruction Bus 50 from the Physical Memory 40 to the Instruction Unit 20, to an Execution Unit 60 and to a physical Target Register 70 within the Register File 80.

A return address for returning from the higher privileged service routine is then stored in the Target Register 70 by the Instruction Unit 20 via a Results Bus 85. The Target Register 70, as shown in Figure 3, contains the return address in Address Location 300 with the original, lower privilege level stored in two lower order bits 310. The TLB 30 then checks the access rights of the calling instruction, as will be described shortly, to determine if execute access is permitted. If execute access is denied by the TLB 30, a software trap is transmitted from the TLB 30 to the Instruction Unit 20 on a Trap Control Bus 90 to halt execution of the gateway instruction in the Execution Unit 60. If execute access is allowed by the TLB 30, and no delayed taken branch is pending, the gateway instruction resaves the actual privilege level of the calling routine in the two low-order bits of Target Register 70 (to rule out forgery by the calling routine), raises the privilege level of the calling routine to the privilege level specified within the page type field 412 of the TLB entry for the page containing the gateway instruction, and a target address for branching to a called routine is calculated in either the Instruction Unit 20 or the Execution Unit 60, as appropriate. A target instruction located at the target address is then fetched from the Physical Memory 40 on the next instruction cycle of the system 10 for use in the Instruction Unit 20, and execution of the called service routine having the desired higher privilege proceeds in the Execution Unit 60. The gateway instruction therefore performs as a delayed branch from the entry point to the target instruction.

After the finally called service routine is completed, the Execution Unit 60 reads the return address stored in the Target Register 70 via the Results Bus 85 and returns to the calling routine at the specified return address with the original lower privilege stored in the Target Register 70.
The actual security protection by the TLB 30 is the same for "normal" instructions as for accessing a gateway instruction, and is performed with a granularity of an entire page of virtual memory. That is, once the execution access rights of a calling routine have been verified by the TLB 30, the calling routine will have execute access to all of the information on a virtual memory page 410, including a gateway instruction 430 as shown in Figure 4. Each virtual page 410 has associated with it a page characteristic 400 containing access rights to the page and an access identifier. The page characteristic 400 is compared to the calling routine's access type (read, write, or execute), privilege level, and a set of protection identifiers to check if the calling routine is allowed to read, write or execute on that memory page 410. The access rights are encoded in the seven bits of the page characteristic 400, with the first three bits 412 specifying a page type, and the last four bits 415 being two privilege level fields specifying the most or least privilege that the calling routine can have to be permitted to use the page 410. Figure 5 shows how the access rights are encoded in the page characteristic 400, with XLEAST and XMOST being the least and most privileged levels that can execute, and READ and WRITE fields specifying the least privileged level that can have access to the page 410. Thus there are three types of access possible (read, write, and execute) for "normal" system functions, with loads checking only read access, stores checking only write access, and instruction fetch checking only execute access within XLEAST to XMOST bounds. In general, four different types of gateway pages as shown in Figure 5 (i.e., Proprietary/Gateways 0, 1, 2, and 3) are sufficient for defining the desired number of different privilege levels within the system 10. With four different privilege levels, only two of bits 412 are required to define the four different states (00, 01, 10, and 11) of the gateways, and it is these two bits which determine the privilege level resulting from execution of a gateway instruction on the corresponding page.

As mentioned previously, gateway instructions cannot be permitted during the pipeline delay period of a taken branch instruction. In order to prevent this occurrence, a B-bit in a status word 600 as shown in Figure 6 within the Instruction Unit 20 (see Figure 1) is set to indicate whether a taken delayed branch is pending. The B-bit is set by the Instruction Unit 20 on any taken branch, is true during the pipeline delay period, and is cleared by the Instruction Unit 20 on the next pipeline cycle after the delay period. Thus, as shown in Figure 2, if a gateway instruction is attempted while a taken branch is pending, the gateway will be trapped as invalid to prevent the calling routine from promoting its own privilege level.
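The following C model is an added example of the mechanism described in the summary and in the preferred embodiment above; it is not code from the patent. It models the TLB access-rights check (XLEAST/XMOST for execute, READ/WRITE for loads and stores), the gateway's overwriting of the two low-order privilege bits in the return link, the promotion to the page's level only when that level is higher than the caller's, the B-bit trap for a gateway in the delay period of a taken branch, and the return that takes its privilege from the link. Two conventions are assumptions not stated in the text: privilege level 0 is the most privileged and 3 the least, and gateway page type n promotes the caller to level n. All structure and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions (not from the text): level 0 is most privileged, 3 least;
 * gateway page type n promotes to privilege level n. */
enum page_type { PT_NORMAL, PT_GATEWAY0, PT_GATEWAY1, PT_GATEWAY2, PT_GATEWAY3 };

/* Access rights of one virtual page (the "page characteristic" of Figures 4
 * and 5). XMOST/XLEAST bound the levels allowed to execute; READ/WRITE give
 * the least privileged level allowed to load from / store to the page. */
struct tlb_entry {
    enum page_type type;
    unsigned xmost;       /* most privileged level that may execute (smallest number) */
    unsigned xleast;      /* least privileged level that may execute (largest number) */
    unsigned read_least;  /* least privileged level that may read */
    unsigned write_least; /* least privileged level that may write */
};

/* The parts of the processor status word the gateway needs. */
struct psw {
    unsigned priv;  /* current two-bit privilege level */
    bool b_bit;     /* set while a taken delayed branch is pending */
};

enum access_kind { ACC_READ, ACC_WRITE, ACC_EXECUTE };
enum gw_result { GW_OK, GW_TRAP_ACCESS, GW_TRAP_DELAYED_BRANCH };

/* The TLB check applied to every access, gateway pages included. */
bool access_permitted(const struct tlb_entry *pg, unsigned priv, enum access_kind kind)
{
    switch (kind) {
    case ACC_READ:    return priv <= pg->read_least;
    case ACC_WRITE:   return priv <= pg->write_least;
    case ACC_EXECUTE: return priv >= pg->xmost && priv <= pg->xleast;
    }
    return false;
}

/* Return link layout: word-aligned return address with the caller's
 * privilege level in the two low-order bits. */
static uint32_t make_link(uint32_t return_addr, unsigned priv)
{
    return (return_addr & ~3u) | (priv & 3u);
}

/* Execute a gateway instruction fetched from page pg. *link holds whatever
 * the caller put in the return-link register before the call. */
enum gw_result gateway(struct psw *st, const struct tlb_entry *pg,
                       uint32_t return_addr, uint32_t *link)
{
    /* 1. Ordinary execute-access check: a trap here means the gateway never runs. */
    if (!access_permitted(pg, st->priv, ACC_EXECUTE))
        return GW_TRAP_ACCESS;
    /* 2. A gateway in the delay period of a taken branch (B-bit set) is invalid. */
    if (st->b_bit)
        return GW_TRAP_DELAYED_BRANCH;
    /* 3. Force the link's low bits to the caller's actual level; a pre-stuffed value is lost. */
    *link = make_link(return_addr, st->priv);
    /* 4. Promote only when the page is more privileged than the caller already is. */
    if (pg->type != PT_NORMAL) {
        unsigned page_level = (unsigned)(pg->type - PT_GATEWAY0);
        if (page_level < st->priv)
            st->priv = page_level;
    }
    return GW_OK;
}

/* Return through the link: the privilege comes from the bits the gateway forced. */
uint32_t gateway_return(struct psw *st, uint32_t link)
{
    st->priv = link & 3u;
    return link & ~3u;
}

/* Constructed scenarios from the description; returns how many behaved as described (4 = all). */
int self_check(void)
{
    const struct tlb_entry gw0 = { PT_GATEWAY0, 0, 3, 0, 0 };      /* executable from any level */
    const struct tlb_entry gw0_lim = { PT_GATEWAY0, 0, 2, 0, 0 };  /* executable from levels 0..2 only */
    const struct tlb_entry gw2 = { PT_GATEWAY2, 0, 3, 0, 0 };
    int passed = 0;
    struct psw st;
    uint32_t link;

    /* A: level-3 caller stuffs 0 into the link's privilege bits; gateway rewrites them to 3,
     *    promotes to 0, and the return comes back at level 3. */
    st = (struct psw){ 3, false }; link = 0x1000u;
    if (gateway(&st, &gw0, 0x1000u, &link) == GW_OK && st.priv == 0 && (link & 3u) == 3
        && gateway_return(&st, link) == 0x1000u && st.priv == 3) passed++;
    /* B: page not executable from level 3: trap, privilege unchanged. */
    st = (struct psw){ 3, false }; link = 0;
    if (gateway(&st, &gw0_lim, 0x2000u, &link) == GW_TRAP_ACCESS && st.priv == 3) passed++;
    /* C: gateway attempted while a taken branch is pending: trap. */
    st = (struct psw){ 3, true };
    if (gateway(&st, &gw0, 0x3000u, &link) == GW_TRAP_DELAYED_BRANCH && st.priv == 3) passed++;
    /* D: caller already more privileged than the page: no change. */
    st = (struct psw){ 1, false };
    if (gateway(&st, &gw2, 0x4000u, &link) == GW_OK && st.priv == 1) passed++;
    return passed;
}

int main(void)
{
    printf("%d of 4 gateway scenarios behave as described\n", self_check());
    return 0;
}
```

The model keeps the TLB check and the gateway semantics separate on purpose: the access check is the same one every instruction fetch gets, which is the point the text makes about the gateway being structurally no different from other instructions, and the privilege promotion happens only after both the access check and the B-bit check have passed.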

Claims 
1. A method of preventing unauthorised access from a lower privilege level to a higher privilege level in a hierarchical computer system, said computer system having a memory and an instruction unit, which method is carried out when a calling routine having an original low privilege level desires to call on a service routine having a higher privilege level than the calling routine is normally permitted to access, the method comprising the steps of reading an access rights field contained in the instruction unit to determine current access rights of the calling routine, reading an access rights field of a page in the memory containing a gateway instruction indicated by the calling routine, and comparing the access rights field of the calling routine to the access rights field of the page in memory containing the gateway instruction indicated by the calling routine; the method being characterised by:

(a) raising the low privilege level of the calling routine to the higher privilege level specified by the page containing the gateway instruction if the access rights field of the calling routine indicates that the calling routine is permitted entry to the page containing the gateway instruction;

(b) storing the low privilege level of the calling routine in a physical target register of the calling routine, so that the calling routine cannot forge its privilege level;

(c) branching to a location of the service routine as specified by the gateway instruction under control of the service routine;

(d) executing the service routine; and

(e) returning control to the calling routine at an address specified by the target register with the original low privilege level stored in the target register.

2. A method according to claim 1 further comprising the step of trapping the execution of the gateway instruction if the access rights field of the calling routine does not indicate that the calling routine is permitted entry to the page containing the gateway instruction.

3. A method according to claim 1 wherein the computer system has delayed branch instructions with a specified delay period, comprising the step of trapping the execution of the gateway instruction if the delayed branch is pending when the access rights of the calling routine and the access rights of the page containing the gateway instruction are compared.

Claims (translated from the French)

1. A method for preventing, in a hierarchical computer system, unauthorised access from a lower privilege level to a higher privilege level, said computer system comprising a memory and an instruction unit, said method being executed when a calling program of an originally low privilege level wishes to call a service program of a privilege level higher than that which the calling program is normally authorised to access, the method comprising the steps of reading an access rights field contained in the instruction unit to determine the current access rights of the calling program, reading an access rights field of a page in the memory containing a gateway instruction indicated by the calling program, and comparing the access rights field of the calling program with the access rights field of the memory page containing the gateway instruction indicated by the calling program; the method being characterised by the steps of:

(a) raising the low privilege level of the calling program to the higher privilege level specified by the page containing the gateway instruction if the access rights field of the calling program indicates that the calling program is authorised to enter the page containing the gateway instruction;

(b) storing the low privilege level of the calling program in a physical target register of the calling program, so that the calling program cannot forge its privilege level;

(c) branching to a location of the service program as specified by the gateway instruction under the control of the service program;

(d) executing the service program; and

(e) returning control to the calling program, at an address specified by the target register, with the original low privilege level stored in the target register.

2. A method according to claim 1 further comprising the step of trapping the execution of the gateway instruction if the access rights field of the calling program does not indicate that the calling program is authorised to enter the page containing the gateway instruction.

3. A method according to claim 1 in which the computer system has delayed branch instructions with a specified delay period, comprising the step of trapping the execution of the gateway instruction if the delayed branch is pending when the access rights of the calling program and the access rights of the page containing the gateway instruction are compared.

Claims (translated from the German)

1. A method for preventing unauthorised access from a lower privileged level to a higher privileged level in a hierarchical computer system, the computer system comprising a memory and an instruction unit, the method being carried out when a requesting routine of an originally low privileged level wishes to call a service routine which has a level that is more highly privileged than the requesting routine would normally be permitted to access, the method comprising the following steps: reading an access rights field in the instruction unit to determine the current access rights of the requesting routine, reading an access rights field on a page in the memory that contains a gateway instruction indicated by the requesting routine, and comparing the access rights field of the requesting routine with the access rights field of the page in the memory that contains the gateway instruction indicated by the requesting routine, the method being characterised by:

a) raising the low privileged level of the requesting routine to the more highly privileged level determined by the page containing the gateway instruction, when the access rights field of the requesting routine indicates that the requesting routine is granted access to the page containing the gateway instruction;

b) storing the low privileged level of the requesting routine in a physical target register of the requesting routine, so that the requesting routine cannot forge its privilege level;

c) branching to a location of the service routine as determined by the gateway instruction under the control of the service routine;

d) executing the service routine; and

e) returning control to the requesting routine at an address determined by the target register, with the original low privileged level stored in the target register.

2. A method according to claim 1, further comprising the following step: stopping the execution of the gateway instruction when the access rights field of the requesting routine does not indicate that the requesting routine is granted access to the page containing the gateway instruction.

3. A method according to claim 1, wherein the computer system comprises delayed branch instructions with a specified delay time, comprising the step of stopping the execution of the gateway instruction when the delayed branch is pending while the access rights of the requesting routine and the access rights of the page containing the gateway instruction are compared.
